java.lang.Object
org.elasticsearch.xpack.core.security.SecurityContext
A lightweight utility that can find the current user and authentication information for the local thread.
Constructor Summary
Constructors
Method Summary
Modifier and Type | Method | Description
boolean | canIAccessResourcesCreatedBy(Authentication resourceCreatorAuthentication) | Checks whether the user or API key of the passed in authentication can access the resources owned by the user or API key of this authentication.
boolean | canIAccessResourcesCreatedWithHeaders(Map<String, String> resourceCreateRequestHeaders) |
void | copyIndicesAccessControlFromReaderContext(ReaderContext readerContext) |
void | copyIndicesAccessControlToReaderContext(ReaderContext readerContext) |
void | executeAfterRemovingParentAuthorization | Executes consumer in a new thread context after removing AuthorizationEngine.ParentActionAuthorization.
void | executeAfterRewritingAuthentication(Consumer<ThreadContext.StoredContext> consumer, TransportVersion version) | Runs the consumer in a new context after setting a new version of the authentication that is compatible with the version provided.
void | executeAsInternalUser(InternalUser internalUser, TransportVersion version, Consumer<ThreadContext.StoredContext> consumer) | Runs the consumer in a new context as the provided user.
void | executeAsSystemUser |
void | executeAsSystemUser(TransportVersion version, Consumer<ThreadContext.StoredContext> consumer) |
<T> T | executeWithAuthentication(Authentication authentication, Function<ThreadContext.StoredContext, T> consumer) | Runs the consumer in a new context as the provided user.
 | getAuthentication() | Returns the authentication information, or null if the current request has no authentication info.
 | getAuthorizationInfoFromContext() |
 | getParentAuthorization() |
 | getSecondaryAuthentication() | Returns the "secondary authentication" (see SecondaryAuthentication) information, or null if the current request does not have a secondary authentication context.
 | getThreadContext() |
 | getUser() | Returns the current user information, or null if the current request has no authentication info.
void | putIndicesAccessControl(IndicesAccessControl indicesAccessControl) |
 | requireUser() | Returns the current user information, or throws ElasticsearchSecurityException if the current request has no authentication information.
void | setInternalUser(InternalUser internalUser, TransportVersion version) | Sets the user forcefully to the provided user.
void | setParentAuthorization(AuthorizationEngine.ParentActionAuthorization parentAuthorization) |
Constructor Details
SecurityContext
Method Details
requireUser
Returns the current user information, or throws ElasticsearchSecurityException if the current request has no authentication information.
getUser
Returns the current user information, or null if the current request has no authentication info.
getAuthentication
Returns the authentication information, or null if the current request has no authentication info.
getAuthorizationInfoFromContext
getParentAuthorization
setParentAuthorization
public void setParentAuthorization(AuthorizationEngine.ParentActionAuthorization parentAuthorization)
getSecondaryAuthentication
Returns the "secondary authentication" (see SecondaryAuthentication) information, or null if the current request does not have a secondary authentication context.
getThreadContext
putIndicesAccessControl
copyIndicesAccessControlToReaderContext
copyIndicesAccessControlFromReaderContext
setInternalUser
Sets the user forcefully to the provided user. There must not be an existing user in the ThreadContext; otherwise an exception is thrown. This method is package private for testing.
executeAsInternalUser
public void executeAsInternalUser(InternalUser internalUser, TransportVersion version, Consumer<ThreadContext.StoredContext> consumer)
Runs the consumer in a new context as the provided user. The original context is provided to the consumer. When this method returns, the original context is restored.
executeAsSystemUser
executeAsSystemUser
public void executeAsSystemUser(TransportVersion version, Consumer<ThreadContext.StoredContext> consumer)
executeWithAuthentication
public <T> T executeWithAuthentication(Authentication authentication, Function<ThreadContext.StoredContext, T> consumer)
Runs the consumer in a new context as the provided user. The original context is provided to the consumer. When this method returns, the original context is restored.
executeAfterRewritingAuthentication
public void executeAfterRewritingAuthentication(Consumer<ThreadContext.StoredContext> consumer, TransportVersion version)
Runs the consumer in a new context after setting a new version of the authentication that is compatible with the version provided. The original context is provided to the consumer. When this method returns, the original context is restored.
executeAfterRemovingParentAuthorization
Executes consumer in a new thread context after removing AuthorizationEngine.ParentActionAuthorization. The original context is provided to the consumer. When this method returns, the original context is restored, preserving response headers.
canIAccessResourcesCreatedBy
Checks whether the user or API key of the passed in authentication can access the resources owned by the user or API key of this authentication. The rules are as follows:
* True if the authentications are for the same API key (same API key ID)
* True if they are the same username from the same realm
  - For file and native realm, same realm means the same realm type
  - For all other realms, same realm means same realm type plus same realm name
* A user and its API key cannot access each other's resources
* A user and its token can access each other's resources
* Two API keys are never able to access each other's resources regardless of their ownership.
This check is a best effort and it does not account for certain static and external changes. See also security limitations.
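The ownership rules listed above as a stand-alone Java model. This is an added example, not Elasticsearch's SecurityContext or Authentication code; the Subject record, the Kind enum and canAccess are hypothetical names chosen here to make the rules executable.

```java
import java.util.Objects;

// Stand-alone model of the canIAccessResourcesCreatedBy rules (hypothetical, not Elasticsearch code).
public final class OwnershipRules {
    enum Kind { USER, TOKEN, API_KEY }

    // Minimal subject of an authentication: a user, a token issued for a user, or an API key.
    record Subject(Kind kind, String username, String realmType, String realmName, String apiKeyId) {}

    // Same realm: type alone for file and native realms, type plus name for every other realm.
    static boolean sameRealm(Subject a, Subject b) {
        if (!a.realmType().equals(b.realmType())) return false;
        if (a.realmType().equals("file") || a.realmType().equals("native")) return true;
        return Objects.equals(a.realmName(), b.realmName());
    }

    // Can "me" access a resource created by "creator"?
    static boolean canAccess(Subject me, Subject creator) {
        boolean meKey = me.kind() == Kind.API_KEY;
        boolean creatorKey = creator.kind() == Kind.API_KEY;
        if (meKey && creatorKey) {
            // Two API keys: only the very same key ID; different keys never, whoever owns them.
            return me.apiKeyId().equals(creator.apiKeyId());
        }
        if (meKey || creatorKey) {
            // A user (or its token) and an API key cannot access each other's resources.
            return false;
        }
        // Users and tokens: same username from the same realm (a token carries its user's identity).
        return me.username().equals(creator.username()) && sameRealm(me, creator);
    }

    public static void main(String[] args) {
        Subject alice = new Subject(Kind.USER, "alice", "native", "default_native", null);
        Subject aliceToken = new Subject(Kind.TOKEN, "alice", "native", "native2", null);
        Subject aliceLdap = new Subject(Kind.USER, "alice", "ldap", "corp", null);
        Subject aliceLdap2 = new Subject(Kind.USER, "alice", "ldap", "other", null);
        Subject key1 = new Subject(Kind.API_KEY, "alice", "native", "default_native", "key-1");
        Subject key1Again = new Subject(Kind.API_KEY, "alice", "native", "default_native", "key-1");
        Subject key2 = new Subject(Kind.API_KEY, "alice", "native", "default_native", "key-2");

        System.out.println("user/token, native, different realm names: " + canAccess(alice, aliceToken)); // true
        System.out.println("ldap corp vs ldap other:                   " + canAccess(aliceLdap, aliceLdap2)); // false
        System.out.println("user vs own API key:                       " + canAccess(alice, key1)); // false
        System.out.println("same API key ID:                           " + canAccess(key1, key1Again)); // true
        System.out.println("two keys of the same owner:                " + canAccess(key1, key2)); // false
    }
}
```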
canIAccessResourcesCreatedWithHeaders
public boolean canIAccessResourcesCreatedWithHeaders(Map<String, String> resourceCreateRequestHeaders) throws IOException
Throws:
IOException